We established this Privacy Notice for the purposes of compliance with the applicable data protection laws in Rwanda. This Privacy Notice sets our standards towards the access and use of any personal data, or any other information provided from you or any other sources to us. Please also read Terms and Conditions ("Terms"), which describe the terms under which you access and use our Services.

We are required to receive or collect some personal information to operate, provide, improve, understand, customize, support, and market our Services. This also includes when you apply for, install, access, or use our Services. The types of information we receive and collect depend on how you use our Services. We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped as follows:

• Identification data: Name, username or similar identifier, Identity card/Passport number, PIN number, marital status, signature, race, nationality, ethnic or social origin, age, title, date of birth and gender, and any other similar information.
• Contact data: Billing address, postal address, physical address, email address and telephone numbers.
• Financial data: Any bank account details, card payment details and other electronic or non-electronic payment details.
• Transaction data: Details about payments to and from you and other details of products and services you have acquired from us.
• Technical data: Internet protocol (IP) address, your login identity data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our systems.
• Profile data: Your profile identification information, purchases or orders made by you, your interests, preferences, feedback and survey responses.
• Usage data: Information about how you use our website, products and services.
• Marketing and communications data: Should you opt-in in to receiving marketing information from us and our third parties and your communication preferences.
• Customer support or Communication data: Copies of your messages, and how to contact you so we can provide you with customer support.

We will collect and process data about you from the following sources:

Information you provide us: This is information about you that you give us by filling in application forms that We give to you or by corresponding with us by phone, e-mail or otherwise. This includes the personal data you provide when you apply for our products or services, subscribe to our services or publications, use our digital applications, request marketing information, enter a competition, promotion, or survey, or give us feedback.

Information we collect about you automatically: With regard to each of your user visits to our website and your use of our Services we will automatically collect technical information (IP address, login information, browser type, time zone setting, operating system). We collect this personal data by using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other websites employing our cookies.

Information we receive from other sources: We receive your Personal Data from third parties who provide it to us, including public sources (companies registry and other government registries), service providers we interact with, and trusted partners who provide us with information about potential customers.

We will only use your Personal Data where we have your consent or a legal basis to process the same. We will use your Personal Data in the following circumstances:

• To perform the contractual agreement, we are about to enter into or have entered into with you.
• For purposes of our legitimate interests (or those of a third party) in instances where your interests and fundamental rights do not override those interests.
• To comply with a legal obligation.

Additionally, we use your personal data to deliver and personalize our services, manage risk, security and crime prevention (including fraud reporting), administer and protect our business, study how customers use our products, undertake surveys, and use data analytics to better understand your credit risk needs. We may collect special categories of Personal Data about you including details about your race or nationality, health, and biometric data.

We may disclose your Personal Data to other entities within the affiliates of BK INSURANCE. In addition, we may disclose your data to Government authorities and regulators, financial institutions, and partners such as Reinsurers, Co-insurers, technology service providers, and professional advisers (lawyers, auditors). If a merger or acquisition happens, the new owners may use your Personal Data in the same way set out in this Notice. Third parties are only allowed to process data according to our instructions and for specified purposes.

We may use your identity, contact, technical, usage and profile data to decide which products, services and offers may be relevant to you. You will receive marketing communication from us if you have requested such information and provided express consent.

Opting Out: You can ask us or third parties to stop sending you marketing messages at any time by writing to us, adjusting your preferences on our website, or following opt-out links on any marketing message. Opting out does not apply to Personal Data provided because of a product or service subscription, warranty registration, or other transactions.

We will only retain your Personal Data for as long as is reasonably required to fulfil the purpose for which it was obtained, including any legal, regulatory, tax, accounting, or reporting obligations. Legally we are required to retain basic information about our customers (including contact, identity, financial and transaction data) for a minimum of ten years after they cease being customers. In some circumstances, we will deidentify your Personal Data for research or statistical purposes, in which case we may use this information indefinitely without further notice.

If you apply for a service, your application may be processed by an automated decision-making process which may carry out credit and affordability assessment checks. Where these automated processes suggest a rejection, we will manually review your application before making a final decision. We also carry out automated anti-money laundering and sanctions checks. If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide services or stop providing existing services, and a record of the risk will be retained by fraud prevention agencies.

We do not knowingly collect personally identifiable information from anyone under the age of 18 without verification of parental consent. We additionally employ the use of age-gating to ensure this. If we become aware that we have collected Personal Data from children without verification of parental consent, we shall take steps to securely dispose the information from our servers.

We may need to transfer or store your information in another jurisdiction to fulfill a legal obligation, for our legitimate interest and to protect the public interest. If the other jurisdiction does not have the same level of protection, we shall put in place appropriate safeguards e.g., contractual commitments to ensure the data is adequately protected. We require all our related companies to follow the same rules when processing your Personal Data.

Subject to legal and contractual limitations, you have the following rights:

• Right to access Personal Data that we hold about you.
• Right to request that we correct your Personal Data where it is inaccurate or incomplete.
• Right to request that we erase your Personal Data (noting we may continue to retain it if obligated).
• Right to object and withdraw your consent to the processing.
• Right to request restricted processing.
• Right to request transfer of your personal data in a format we shall determine.

We may need to request specific information from you to help us confirm your identity before processing any request. We try to respond to all legitimate requests within a reasonable time.

We have put in place appropriate security measures to prevent your Personal Data from being lost, used or accessed in an unauthorized way, altered or disclosed. Access is limited to those employees, agents, contractors and third parties who have a business need to know. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator where legally required.

Changes: We reserve the right to modify or update this Privacy Notice at any time. Your use of the Website following changes constitutes acceptance.

Contact information: If you have any questions or queries regarding this notice, please contact us at bkgi@bk.rw.